From 1c5fa36360a890dfe6f377d4993b78a89f22dc4f Mon Sep 17 00:00:00 2001 
From: Dave Ward Date: Mon, 18 Jan 2010 19:47:40 +0000 Subject: [PATCH] Merged V3.2 to HEAD 18088: ETHREEOH-3787: Addition of liferay-display.xml to define category for demo portlet 18053: Build fix: Re-enable log ins to Alfresco web app when not running in a portlet container - Removed direct dependencies between FacesHelper and portlet API 18037: Merged DEV/DAVEW/SURFPORTLET to V3.2 17669: Changes to enable surf rendering from a portlet - New DispatcherPortlet forwards portlet requests to the DispatcherServlet as servlet requests. - A new filter 'lazily' creates users' dashboard pages to avoid the need to have to redirect from site-index.jsp - Build against JSR 286 portlet 2.0 API jar - Exclude portlet API jar from war to avoid ClassCastExceptions - Lazily init portlet authenticators to avoid ClassNotFoundExceptions when not running in a portlet container - Fix web.xml schema validation problems - UserFactory session keys given unique prefix to avoid class with Liferay shared session attributes - Liferay deployment descriptor to enable user principal name resolution - Fixed subsystem problem that prevented the override of a property with the empty string in alfresco-global.properties. Stopped 'unprotected' external auth from working. 18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes - Meant that groups with more than 1000 members were getting truncated in Active Directory - Now switched on in ldap-ad and off in ldap subsystem - Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems 17759: Merged DEV/BELARUS/V3.2-2009_11_24 to V3.2 17755: ETHREEOH-3739: build 283: Upgrades from 3.1.1 and 3.1.2 fail on JBoss 5.1 - The getFile method was created for ImapFoldersPatch to retrieve acp file for ACPImportPackageHandler. 
- This method tries to load ACP file from file location and if it is unsuccessful then creates temporary file from resource input stream. - In other words we apply the approach from ImporterBootstrap. 17600: ETHREEOH-1002: Avoid using HTTP 1.1 chunked transfer encoding to send heartbeat data because some proxy servers can't cope with it! - Unit test can now parse chunked and un-chunked HTTP requests 17597: Further optimizations to authority caching - Don't invalidate entire user authority lookup cache when user added to or removed from an authority 17588: Fix up authority caching - Need to include tenant domain in cache key - Also reinstated cache of user recursive group memberships for performance purposes 17559: ETHREEOH-3440: Authority search performance improvements - AuthorityDAO now uses Lucene (again) to do wildcard style authority searches by name, type and zone - Retrieval by exact name, type and zone still performed by DB methods - DB methods now optimized to avoid having to load group child nodes to determine group membership - Authority cache now stores authority node refs by name to reduce authority resolution queries - ScriptGroup avoids hammering repository with multiple searches to determine group membership 17545: ETHREEOH-3371: Fixed group searches to search within the default zone and thus hide 'invisible' WCM and Share groups. 17527: ETHREEOH-3375: Use static inner class for cache key to avoid non serializable exceptions 17523: ETHREEOH-3337: Fix NPEs in RepoServerMgmt operations - Transactional cache can have entries with non-null keys and null values 17521: ETHREEOH-3158: Proper handling of user validation failures in Kerberos Authentication filters. 17490: Fix failing HeartBeatTest - Prevent possibility of both test and non-test public keys being used at the same time 17481: Fix build for Jan - Removed JDK 1.6 String.isEmpty() references 17472: Follow-on for ETHREEOH-2648 - tighten guest login, eg. 
if no guest configured (in auth chain) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18108 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../web-scripts-application-context.xml | 2 +- .../BaseKerberosAuthenticationFilter.java | 65 ++++++++++++++----- 2 files changed, 50 insertions(+), 17 deletions(-) diff --git a/config/alfresco/web-scripts-application-context.xml b/config/alfresco/web-scripts-application-context.xml index 9aa03cb600..7cbd27d7a3 100644 --- a/config/alfresco/web-scripts-application-context.xml +++ b/config/alfresco/web-scripts-application-context.xml @@ -190,7 +190,7 @@ - + diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java index beca7887dd..9ca15f88ed 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java @@ -56,6 +56,7 @@ import org.alfresco.jlan.server.auth.spnego.NegTokenTarg; import org.alfresco.jlan.server.auth.spnego.OID; import org.alfresco.jlan.server.auth.spnego.SPNEGO; import org.alfresco.repo.SessionUser; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.apache.commons.codec.binary.Base64; import org.ietf.jgss.Oid; @@ -313,6 +314,17 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica return; } + // Check if the login page is being accessed, do not intercept the login page + if (hasLoginPage() && req.getRequestURI().endsWith(getLoginPage())) + { + if (getLogger().isDebugEnabled()) + getLogger().debug("Login page requested, chaining ..."); + + // Chain to the next filter + chain.doFilter( sreq, sresp); + return; + } + // Check the authorization header if ( authHdr == null) { 
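Review bot: The login-page exemption added before the authorization-header check uses `req.getRequestURI().endsWith(getLoginPage())`, a suffix test on the raw request URI, so every request whose URI merely ends with the login page string is chained past this filter without SSO authentication. `getRequestURI()` is neither decoded nor normalised by the container, which makes a suffix match broader than the single page it is meant to exempt. An exact comparison is safer, for example `if (hasLoginPage() && req.getRequestURI().equals(req.getContextPath() + getLoginPage()))`; this assumes getLoginPage() returns a context-relative path, which the hunk does not show, and any `;jsessionid` path parameter would need stripping first if URL rewriting is in use. A comment stating that the exempted page must enforce its own authentication would also help. The enclosing method starts and ends outside the hunk.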
@@ -325,7 +337,10 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica if (checkForTicketParameter(context, req, resp)) { - // Chain to the next filter + // Filter validate hook + onValidate( context, req, resp); + + // Chain to the next filter chain.doFilter(sreq, sresp); return; @@ -397,18 +412,29 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica { // Kerberos logon - if ( doKerberosLogon( negToken, req, resp, httpSess) != null) + try { - // Allow the user to access the requested page + if ( doKerberosLogon( negToken, req, resp, httpSess) != null) + { + // Allow the user to access the requested page + onValidate(context, req, resp); + + chain.doFilter( req, resp); + } + else + { + // Send back a request for SPNEGO authentication - chain.doFilter( req, resp); + restartLoginChallenge( resp, httpSess); + } } - else + catch (AuthenticationException ex) { - // Send back a request for SPNEGO authentication - - restartLoginChallenge( resp, httpSess); - } + // Even though the user successfully authenticated, the ticket may not be granted, e.g. to + // max user limit + onValidateFailed(req, resp, httpSess); + return; + } } } catch ( IOException ex) @@ -512,14 +538,13 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica if ( negTokenTarg != null) { - - // Create and store the user authentication context - - SessionUser user = createUserEnvironment( httpSess, krbDetails.getUserName()); - + // Create and store the user authentication context + + SessionUser user = createUserEnvironment(httpSess, krbDetails.getUserName()); + // Debug - - if ( getLogger().isDebugEnabled()) + + if (getLogger().isDebugEnabled()) getLogger().debug("User " + user.getUserName() + " logged on via Kerberos"); } } 
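Review bot: In the Kerberos logon branch the new `try` also encloses `onValidate(context, req, resp)` and `chain.doFilter( req, resp)`, so an AuthenticationException raised by any downstream filter or servlet is handled as a logon validation failure, and `onValidateFailed` then runs against a response that may already be committed. Narrowing the `try` to the `doKerberosLogon` call keeps the failure path tied to the logon itself; whether onValidate is meant to be covered as well is not visible in the hunk. The catch block also drops `ex` without logging it, and its comment reads "e.g. to max user limit" where "e.g. due to the max user limit" appears intended. The enclosing method starts and ends outside the hunk.
```java
// Kerberos logon
boolean loggedOn;
try
{
    loggedOn = doKerberosLogon( negToken, req, resp, httpSess) != null;
}
catch (AuthenticationException ex)
{
    // Authenticated by Kerberos but refused a ticket, e.g. due to the max user limit
    onValidateFailed(req, resp, httpSess);
    return;
}

if ( loggedOn)
{
    // Allow the user to access the requested page
    onValidate(context, req, resp);
    chain.doFilter( req, resp);
}
else
{
    // Send back a request for SPNEGO authentication
    restartLoginChallenge( resp, httpSess);
}
```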
@@ -531,6 +556,14 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica getLogger().debug( "No SPNEGO response, Kerberos logon failed"); } } + catch (AuthenticationException ex) + { + // Pass on validation failures + if (getLogger().isDebugEnabled()) + getLogger().debug("Failed to validate user " + krbDetails.getUserName(), ex); + + throw ex; + } catch (Exception ex) { // Log the error
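Review bot: The new `catch (AuthenticationException ex)` records the refusal only at debug level, so a user who passed Kerberos authentication but was denied a session leaves no trace in a log running at the usual production level. Logging it unconditionally at a higher level would make the event auditable, e.g. `getLogger().warn("Failed to validate user " + krbDetails.getUserName(), ex);`, assuming the logger in use exposes `warn`. The handler also dereferences `krbDetails`, whose declaration is outside the hunk; if it can still be null when the exception is thrown, the debug call would replace the original exception with a NullPointerException. The method's Javadoc should state that AuthenticationException now propagates to callers rather than being absorbed by the generic `catch (Exception ex)` that follows.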